| author | Christof Rabensteiner <christof.rabensteiner@iaik.tugraz.at> | 2019-06-27 17:39:24 +0200 | 
|---|---|---|
| committer | Christof Rabensteiner <christof.rabensteiner@iaik.tugraz.at> | 2019-06-27 17:39:24 +0200 | 
| commit | a9a9e1cb62123475edd733a53ecc00611c2aa764 (patch) | |
| tree | 05ac9f2f2a6c199badb802c1390f1a9fc887aba8 /src/test/java/at/gv/egiz/moazs | |
| parent | 8b80ea299ef6fadfbc0ec59308e0937612eb8c35 (diff) | |
Honor & Test TrustAll and LaxHostNameVerification
- Print a big scary warning message for everyone who enables "trustAll"
- Test TrustAll and LaxHostNameVerification
- Describe test case requirements and add key material needed to run
  these test cases.
Diffstat (limited to 'src/test/java/at/gv/egiz/moazs')
| -rw-r--r-- | src/test/java/at/gv/egiz/moazs/MsgClientTest.java | 103 | 
1 files changed, 84 insertions, 19 deletions
diff --git a/src/test/java/at/gv/egiz/moazs/MsgClientTest.java b/src/test/java/at/gv/egiz/moazs/MsgClientTest.java
index 7c9bf7d..bd68d9d 100644
--- a/src/test/java/at/gv/egiz/moazs/MsgClientTest.java
+++ b/src/test/java/at/gv/egiz/moazs/MsgClientTest.java
@@ -4,9 +4,9 @@ import at.gv.egiz.moazs.msg.MsgClientFactory;
 import at.gv.egiz.moazs.msg.StoreSOAPBodyBinaryInRepositoryInterceptor;
 import at.gv.egiz.moazs.scheme.Marshaller;
 import at.gv.zustellung.app2mzs.xsd.ClientType;
+import at.gv.zustellung.app2mzs.xsd.KeyStoreType;
 import at.gv.zustellung.msg.xsd.DeliveryRequestType;
 import at.gv.zustellung.msg.xsd.ObjectFactory;
-import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -20,6 +20,7 @@ import java.io.FileInputStream;
 import java.io.IOException;
 import java.math.BigInteger;
+import static at.gv.zustellung.app2mzs.xsd.ClientType.clientTypeBuilder;
 import static at.gv.zustellung.app2mzs.xsd.KeyStoreType.keyStoreTypeBuilder;
 import static at.gv.zustellung.app2mzs.xsd.SSLType.SSLTypeBuilder;
@@ -43,14 +44,19 @@ public class MsgClientTest {
     private static final ObjectFactory OF = new ObjectFactory();
-    // this test requires that a zusemsg service runs under httpServiceUri!
     // tmp disabled. todo: set up integration tests
+
+    // Requirements:
+    // - run zusemsg service under httpServiceURL
     // @Test
     public void sendValidMessage() throws IOException {
         var request = loadFromFile("validDeliveryRequest.xml");
-        var httpServiceUri =  "http://localhost:8081/services/DeliveryRequest";
-        var clientParams = generateClientParams(httpServiceUri);
+        var httpServiceURL =  "http://localhost:8081/services/DeliveryRequest";
+        var clientParams = clientTypeBuilder()
+                .withURL(httpServiceURL)
+                .build();
+
         var client = factory.create(clientParams);
         try{
@@ -61,20 +67,79 @@ public class MsgClientTest {
         }
     }
+    // Requirements:
+    // - run zusemsg service under httpsServiceURL
+    // - server trusts client cert (by trusting CA bundle in ssl/trusted-cas-bundle.pem)
+    // - server uses the server certificate in ssl/server/server.localhost.*.pem
+    // - server sends certificate chain ssl/server/ca-chain.cert.pem
+    //@Test
+    public void sendOverSSLWithClientAuthentication() throws IOException {
+
+        var request = loadFromFile("validDeliveryRequest.xml");
+        var httpsServiceURL = "https://localhost/zusemsg/services/DeliveryRequest";
+
+        var clientParams = generateSSLClientParams(httpsServiceURL, false, false);
+        var client = factory.create(clientParams);
+
+        var status = client.delivery(request);
+        log.info("status: " + msgMarshaller.marshallXml(OF.createDeliveryRequestStatus(status)));
+    }
+
+    // Requirements:
+    // - run zusemsg service under httpsServiceURL
+    // - server trusts client cert (by trusting CA bundle in ssl/trusted-cas-bundle.pem)
+    // - server uses the server certificate in ssl/server/server.localhost.*.pem
+    // - server sends certificate chain ssl/server/ca-chain.cert.pem
     //@Test
-    public void sendValidMessageSSL() throws IOException {
+    public void sendOverSSLWithTrustAll() throws IOException {
         var request = loadFromFile("validDeliveryRequest.xml");
         var sslServiceUri = "https://localhost/zusemsg/services/DeliveryRequest";
-        var clientParams = generateSSLClientParams(sslServiceUri);
+
+        var clientParams = generateSSLClientParams(sslServiceUri, true, false);
+        var client = factory.create(clientParams);
+
+        var status = client.delivery(request);
+        log.info("status: " + msgMarshaller.marshallXml(OF.createDeliveryRequestStatus(status)));
+    }
+
+    // Requirements:
+    // - run zusemsg service under httpsServiceURL (e.g. by adding notlocalhost to /etc/hosts)
+    // - server trusts client cert (by trusting CA bundle in ssl/trusted-cas-bundle.pem)
+    // - server uses the server certificate in ssl/server/server.localhost.*.pem
+    // - server sends certificate chain ssl/server/ca-chain.cert.pem
+    //@Test
+    public void sendOverSSLWithLaxHostnameVerification() throws IOException {
+
+        var request = loadFromFile("validDeliveryRequest.xml");
+        var sslServiceUri = "https://notlocalhost/zusemsg/services/DeliveryRequest";
+
+        var clientParams = generateSSLClientParams(sslServiceUri, false, true);
         var client = factory.create(clientParams);
         var status = client.delivery(request);
         log.info("status: " + msgMarshaller.marshallXml(OF.createDeliveryRequestStatus(status)));
+    }
+
+    //Requirements:
+    // - run zusemsg service under httpsServiceURL (e.g. by adding notlocalhost to /etc/hosts)
+    // - server trusts client cert (by trusting CA bundle in ssl/trusted-cas-bundle.pem)
+    // - server uses the server certificate in ssl/server/server.localhost.*.pem
+    // - server sends certificate chain ssl/server/ca-chain.cert.pem
+    //@Test(expected=SOAPFaultException.class)
+    public void rejectBecauseHostNameVerificationFails() throws IOException {
+
+        var request = loadFromFile("validDeliveryRequest.xml");
+        var sslServiceUri = "https://notlocalhost/zusemsg/services/DeliveryRequest";
+        var clientParams = generateSSLClientParams(sslServiceUri, false, false);
+        var client = factory.create(clientParams);
+
+        var status = client.delivery(request);
+        log.info("status: " + msgMarshaller.marshallXml(OF.createDeliveryRequestStatus(status)));
     }
-    private ClientType generateSSLClientParams(String sslServiceUri) {
+    private ClientType generateSSLClientParams(String sslServiceUri, boolean trustAll, boolean laxHostNameVerification) {
         var keystore = keyStoreTypeBuilder()
                 .withFileName("ssl/client.cert.key.p12")
@@ -82,20 +147,16 @@ public class MsgClientTest {
                 .withPassword("123456")
                 .build();
-        var truststore = keyStoreTypeBuilder()
-                .withFileName("ssl/truststore.jks")
-                .withPassword("123456")
-                .withFileType("JKS")
-                .build();
+        var truststore = trustAll ? null : generateTrustLocalhostStore();
         var sslParams = SSLTypeBuilder()
-                .withLaxHostNameVerification(false)
-                .withTrustAll(false)
+                .withLaxHostNameVerification(laxHostNameVerification)
+                .withTrustAll(trustAll)
                 .withKeyStore(keystore)
                 .withTrustStore(truststore)
                 .build();
-        return ClientType.clientTypeBuilder()
+        return clientTypeBuilder()
                 .withURL(sslServiceUri)
                 .withSSL(sslParams)
                 .withReceiveTimeout(BigInteger.ZERO)
@@ -104,6 +165,14 @@ public class MsgClientTest {
     }
+    private KeyStoreType generateTrustLocalhostStore() {
+        return keyStoreTypeBuilder()
+                .withFileName("ssl/truststore.jks")
+                .withPassword("123456")
+                .withFileType("JKS")
+                .build();
+    }
+
     private DeliveryRequestType loadFromFile(String fileName) throws IOException {
         try (var inputStream = new BufferedInputStream(new FileInputStream(basePath + fileName))) {
             var request = (JAXBElement<DeliveryRequestType>) msgMarshaller.unmarshallXml(inputStream);
@@ -111,8 +180,4 @@ public class MsgClientTest {
         }
     }
-    private ClientType generateClientParams(String url) {
-        return ClientType.clientTypeBuilder().withURL(url).build();
-    }
-
 }
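Review bot: The two new flags of `generateSSLClientParams` are positional booleans, so a call such as `generateSSLClientParams(sslServiceUri, true, false)` in the preceding hunk does not tell the reader which TLS check it relaxes, and the line `var truststore = trustAll ? null : generateTrustLocalhostStore();` drops the trust store entirely in the trust-all case without saying why. A Javadoc on the helper would make both readable at the call site, e.g. `/** Builds client-authenticated SSL params for the test service. trustAll=true configures no trust store and, as the test names imply, relaxes server-certificate checking; laxHostNameVerification=true relaxes the host-name match. Both are test-only settings. */` — what the production SSL setup actually does with these flags, and whether the builder accepts a null trust store, is not visible in this diff and should be confirmed before wording the comment. The method's signature line is in the previous hunk and its tail after `.withReceiveTimeout(BigInteger.ZERO)` lies outside this one.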
